CVE-2011-3193

NameCVE-2011-3193
DescriptionHeap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-117-1
Debian Bugs641738

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pango1.0 (PTS)buster1.42.4-8~deb10u1fixed
buster (security)1.42.4-7~deb10u1fixed
bullseye1.46.2-3fixed
bookworm1.50.12+ds-1fixed
trixie1.52.0+ds-1fixed
sid1.52.1+ds-1fixed
qt4-x11 (PTS)buster4:4.8.7+dfsg-18+deb10u1fixed
buster (security)4:4.8.7+dfsg-18+deb10u2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pango1.0source(unstable)1.28.3-1
qt4-x11sourcesqueeze4:4.6.3-4+squeeze2DLA-117-1
qt4-x11source(unstable)4:4.7.4-1641738

Notes

affected code in pango1.0 removed earlier, but this is the version checked (lenny is affected)

Search for package or bug name: Reporting problems